<div dir="ltr">My iptables statements are trying to identify the packets to DROP. The rules should be identifying those Tinc broadcast packets that are destined for the VPN. They need to match the tap interface Tinc is using, and the port that it uses to broadcast the Local Discovery.<div>
These rules really should go in your tinc-up configuration. We can replace tap0 (or whatever Tinc decided to use) with the $INTERFACE variable, and tinc will take care of applying these rules to that interface. These will then automatically applied whenever Tinc is run. What port is Tinc using to broadcast the Local Discovery? Replace ### with the port number.</div>
<div><br><div><div>iptables -I INPUT --in-interface $INTERFACE -m pkttype --pkt-type broadcast --dport ### -j DROP</div><div>iptables -I FORWARD --in-interface $INTERFACE -m pkttype --pkt-type broadcast --dport ### -j DROP</div>
<div>iptables -I FORWARD --out-interface $INTERFACE -m pkttype --pkt-type broadcast --dport ### -j DROP</div><div>iptables -I OUTPUT --out-interface $INTERFACE -m pkttype --pkt-type broadcast --dport ### -j DROP</div></div>
</div><div><br></div><div style>Admittedly, I am not as familiar with netfilter as ebtables. I found this example from this site, saying this will block all broadcast packets, obviously on INPUT.</div><div style><a href="http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html">http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html</a><br>
</div><div style><br></div><div style><pre style="color:rgb(0,0,0);font-size:medium">iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP</pre><pre style="color:rgb(0,0,0);font-size:medium">From here I modified it to DROP packets that we don't want to enter or leave the VPN interface. I haven't tested its functionality other than to ensure that my syntax is correct, and that iptables will accept it. I removed -p udp,as that should be redundant anyway.</pre>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Apr 4, 2013 at 5:02 PM, Dominik George <span dir="ltr"><<a href="mailto:nik@naturalnet.de" target="_blank">nik@naturalnet.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<div class="im"><br>
> What are your current set of firewall rules you are currently using?<br>
<br>
</div>What I am using is exactly what you proposed, with all policies being ACCEPT.<br>
<br>
I assume that the discovery broadcasts would be mentioned in Tinc's<br>
debug output - at debug level 5, I do not see anything about it. That's<br>
why I concluded they aren't sent.<br>
<div class="im"><br>
-nik<br>
<br>
--<br>
* mirabilos is handling my post-1990 smartphone *<br>
<mirabilos> Aaah, it vibrates! Wherefore art thou, demonic device??<br>
<br>
</div>2013-05-19 - 05-21 Geocaching-Tour Hamburg (2 Betten frei)<br>
2013-06-28 - 06-30 <a href="http://project-eck.de" target="_blank">http://project-eck.de</a> Koblenz<br>
2013-08-01 - 08-04 <a href="http://berlin-mega.de" target="_blank">http://berlin-mega.de</a> Berlin (2 Betten frei)<br>
2013-08-28 - 09-02 <a href="http://prora2013.de" target="_blank">http://prora2013.de</a> Rügen<br>
2013-12-27 - 12-31 30c3 Hamburg (2 Betten frei)<br>
<div class="HOEnZb"><div class="h5"><br>
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296<br>
</div></div><br>_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<a href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
<br></blockquote></div><br></div>